CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,812)

page 39 of 441

CVE	Sev	Risk	CVSS	Published	Description
CVE-2025-31397	Cri	0.60	9.3	May 23, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce scw-bus-seat-reservation allows SQL Injection.This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through <= 1.7.
CVE-2025-31056	Cri	0.60	9.3	May 23, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through <= 1.1.0.
CVE-2025-40635	Cri	0.60	—	May 20, 2025	SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.
CVE-2025-39395	Cri	0.60	9.3	May 19, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPAMS apartment-management allows SQL Injection.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
CVE-2025-39389	Cri	0.60	9.3	May 19, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solid Plugins AnalyticsWP allows SQL Injection.This issue affects AnalyticsWP: from n/a through 2.1.2.
CVE-2025-39386	Cri	0.60	9.3	May 19, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System hospital-management allows SQL Injection.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023).
CVE-2025-39445	Cri	0.60	9.3	May 19, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp allows SQL Injection.This issue affects Super Store Finder: from n/a through <= 7.2.
CVE-2025-39481	Cri	0.60	9.3	May 16, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from n/a through < 3.11.4.
CVE-2025-32643	Cri	0.60	9.3	May 16, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
CVE-2025-40628	Cri	0.60	—	May 13, 2025	SQL injection vulnerability in DomainsPRO 1.2. This vulnerability could allow an attacker to retrieve, create, update and delete databases via the “d” parameter in the “/article.php” endpoint.
CVE-2025-47682	Cri	0.60	9.3	May 12, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.1.
CVE-2025-47657	Cri	0.60	9.3	May 7, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection.This issue affects Productive Commerce: from n/a through <= 1.1.40.
CVE-2025-46248	Cri	0.60	9.3	Apr 24, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard frontend-dashboard allows SQL Injection.This issue affects Frontend Dashboard: from n/a through <= 2.2.5.
CVE-2025-39471	Cri	0.60	9.3	Apr 18, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
CVE-2025-39595	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows SQL Injection.This issue affects Quentn WP: from n/a through <= 1.2.8.
CVE-2025-39587	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder allows SQL Injection.This issue affects Cost Calculator Builder: from n/a through <= 3.2.65.
CVE-2025-32665	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebbyTemplate Office Locator office-locator allows SQL Injection.This issue affects Office Locator: from n/a through <= 1.3.0.
CVE-2025-32636	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in matthewrubin Local Magic local-magic allows SQL Injection.This issue affects Local Magic: from n/a through <= 2.9.0.
CVE-2025-32626	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Job Manager js-jobs allows SQL Injection.This issue affects JS Job Manager: from n/a through <= 2.0.2.
CVE-2025-27302	Cri	0.60	9.3	Apr 17, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Claudio Adrian Marrero CHATLIVE chatlive allows SQL Injection.This issue affects CHATLIVE: from n/a through <= 2.0.1.

CVE-2025-31397CriMay 23, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce scw-bus-seat-reservation allows SQL Injection.This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through <= 1.7.
CVE-2025-31056CriMay 23, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through <= 1.1.0.
CVE-2025-40635CriMay 20, 2025
risk 0.60cvss —epss 0.00
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.
CVE-2025-39395CriMay 19, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPAMS apartment-management allows SQL Injection.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
CVE-2025-39389CriMay 19, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solid Plugins AnalyticsWP allows SQL Injection.This issue affects AnalyticsWP: from n/a through 2.1.2.
CVE-2025-39386CriMay 19, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System hospital-management allows SQL Injection.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023).
CVE-2025-39445CriMay 19, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp allows SQL Injection.This issue affects Super Store Finder: from n/a through <= 7.2.
CVE-2025-39481CriMay 16, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from n/a through < 3.11.4.
CVE-2025-32643CriMay 16, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
CVE-2025-40628CriMay 13, 2025
risk 0.60cvss —epss 0.00
SQL injection vulnerability in DomainsPRO 1.2. This vulnerability could allow an attacker to retrieve, create, update and delete databases via the “d” parameter in the “/article.php” endpoint.
CVE-2025-47682CriMay 12, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.1.
CVE-2025-47657CriMay 7, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection.This issue affects Productive Commerce: from n/a through <= 1.1.40.
CVE-2025-46248CriApr 24, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard frontend-dashboard allows SQL Injection.This issue affects Frontend Dashboard: from n/a through <= 2.2.5.
CVE-2025-39471CriApr 18, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
CVE-2025-39595CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows SQL Injection.This issue affects Quentn WP: from n/a through <= 1.2.8.
CVE-2025-39587CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder allows SQL Injection.This issue affects Cost Calculator Builder: from n/a through <= 3.2.65.
CVE-2025-32665CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebbyTemplate Office Locator office-locator allows SQL Injection.This issue affects Office Locator: from n/a through <= 1.3.0.
CVE-2025-32636CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in matthewrubin Local Magic local-magic allows SQL Injection.This issue affects Local Magic: from n/a through <= 2.9.0.
CVE-2025-32626CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Job Manager js-jobs allows SQL Injection.This issue affects JS Job Manager: from n/a through <= 2.0.2.
CVE-2025-27302CriApr 17, 2025
risk 0.60cvss 9.3epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Claudio Adrian Marrero CHATLIVE chatlive allows SQL Injection.This issue affects CHATLIVE: from n/a through <= 2.0.1.